You are in charge of the maintenance of AWS resources.
CloudTrail has been enabled in your AWS Organization, and events have been delivered to a CloudWatch Log group.
You want to use the CloudTrail logs to monitor the configuration changes of EC2 security groups, and any security group change events should trigger a CloudWatch alarm.
How would you configure this most easily?
Correct Answer: C.
Option A is incorrect because it requires configuring a new Lambda function and triggering it periodically; that is not the easiest option.
Option B is incorrect because, in the CloudTrail console, you cannot directly select the CloudWatch Log group and configure the CloudWatch alarm.
Option C is CORRECT because users can easily configure a metric filter with the filter pattern for the security group configuration changes and configure a CloudWatch alarm afterward.
Option D is incorrect because Amazon Athena queries data stored in S3 with standard SQL; it does not provide this kind of filter-and-alarm configuration.
Reference:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html#cloudwatch-alarms-for-cloudtrail-security-group
The correct answer is C. In the CloudWatch Log group, create a metric filter that defines the security group change events. Create a CloudWatch alarm with the metric filter.
Here's a detailed explanation for why C is the correct answer:
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. It records AWS API calls and can deliver them to an S3 bucket, a CloudWatch Logs log group, and CloudWatch Events. CloudWatch is a monitoring service that provides data and actionable insights for AWS resources and the applications you run on them. It collects and tracks metrics, logs, and events, and enables you to monitor, troubleshoot, and take automated actions on your AWS resources.
When CloudTrail is enabled in your AWS Organization, it delivers events to a CloudWatch Log group. You can use CloudWatch Logs to store, monitor, and access your log files from EC2 instances, AWS services, and custom applications. You can also create metric filters and alarms to monitor specific log events and trigger automated actions based on predefined thresholds.
To monitor the configuration changes of EC2 security groups using CloudTrail logs and trigger a CloudWatch alarm, create a metric filter on the CloudWatch Log group with a filter pattern such as the following, then create a CloudWatch alarm on the metric that filter emits:

```
{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) }
```
This filter pattern matches any CloudTrail log event that contains one of the four EC2 security group change events: AuthorizeSecurityGroupIngress, AuthorizeSecurityGroupEgress, RevokeSecurityGroupIngress, and RevokeSecurityGroupEgress. You can modify this filter pattern to match your specific security group change events.
Once you create the metric filter and the CloudWatch alarm on its metric, every matching security group change event in the CloudTrail logs increments that metric. When the metric crosses the alarm threshold, CloudWatch moves the alarm into the ALARM state and sends a notification to your specified targets, such as an SNS topic (which can deliver email). You can also configure the alarm to take automated actions, such as invoking an AWS Lambda function or sending a message to an SQS queue.
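As an added example (not from the original page or from AWS), the following Python script reproduces the metric filter and alarm logic locally over a few constructed CloudTrail records, so you can see which events the pattern matches and in which 5-minute period the alarm would fire. Assumptions: the pattern adds CreateSecurityGroup and DeleteSecurityGroup to the four events above, and the alarm settings (Sum statistic, 300-second period, threshold 1, missing data treated as not breaching) are a typical put-metric-alarm configuration rather than values from the page.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Filter pattern as entered on the CloudWatch Logs metric filter. Create/Delete
# are included so group creation and deletion are caught, not only rule edits.
FILTER_PATTERN = (
    "{ ($.eventName = AuthorizeSecurityGroupIngress)"
    " || ($.eventName = AuthorizeSecurityGroupEgress)"
    " || ($.eventName = RevokeSecurityGroupIngress)"
    " || ($.eventName = RevokeSecurityGroupEgress)"
    " || ($.eventName = CreateSecurityGroup)"
    " || ($.eventName = DeleteSecurityGroup) }"
)
# Assumed alarm settings in the shape of a put-metric-alarm call: fire on the first
# matching event in any 5-minute period; periods with no data stay OK.
ALARM = {"Statistic": "Sum", "Period": 300, "Threshold": 1,
         "ComparisonOperator": "GreaterThanOrEqualToThreshold",
         "EvaluationPeriods": 1, "TreatMissingData": "notBreaching"}

def watched_event_names(pattern=FILTER_PATTERN):
    """Pull the eventName values out of the OR-pattern."""
    return set(re.findall(r"\$\.eventName = (\w+)", pattern))

def matches(record, pattern=FILTER_PATTERN):
    """Local stand-in for the metric filter: does this CloudTrail record match?"""
    return record.get("eventName") in watched_event_names(pattern)

def metric_per_period(records, period=ALARM["Period"]):
    """Sum of metricValue=1 per period, i.e. the datapoints the alarm reads."""
    counts = Counter()
    for r in records:
        if matches(r):
            ts = datetime.fromisoformat(r["eventTime"].replace("Z", "+00:00"))
            counts[int(ts.timestamp()) // period * period] += 1
    return dict(counts)

def evaluate(log_lines):
    """Return {period_start: (count, state)} for CloudTrail JSON log lines."""
    records = [json.loads(line) for line in log_lines]
    return {p: (n, "ALARM" if n >= ALARM["Threshold"] else "OK")
            for p, n in sorted(metric_per_period(records).items())}

# Constructed sample records (not real account data); one read-only call is mixed in.
SAMPLE = [json.dumps({"eventTime": t, "eventSource": "ec2.amazonaws.com", "eventName": n})
          for t, n in [("2024-01-10T12:01:05Z", "AuthorizeSecurityGroupIngress"),
                       ("2024-01-10T12:03:40Z", "CreateSecurityGroup"),
                       ("2024-01-10T12:04:00Z", "DescribeSecurityGroups"),
                       ("2024-01-10T12:07:10Z", "RevokeSecurityGroupEgress")]]
```

Running `evaluate(SAMPLE)` shows two change events in the first period and one in the next, each enough to put the alarm into ALARM, while the read-only DescribeSecurityGroups call is ignored by the filter.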